For as little as a few thousand dollars, online attackers can purchase enough personal information to perhaps alter voter registration information in as many as 35 states and the District of Columbia, according to a new Harvard study. Dubbed “voter identity theft” by study authors Latanya Sweeney, professor of government and technology in residence, research analyst Ji Su Yoo, and graduate student Jinyan Zang, the vulnerability could be exploited by internet attackers attempting to disenfranchise many voters where registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could learn enough to impersonate voters and change key information using the online registration systems. One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong locations. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted. The study is described in a Sept. 6 paper published in the Journal of Technology Science.
Though the researchers don’t report evidence of attackers already exploiting the vulnerability, Sweeney, Yoo, and Zang said the fear is that it might be used to undermine confidence in elections or even to swing the result in favor of a particular candidate. “If the goal is to undermine any belief in the electoral system, then they might very well want to target a particular community at large … [because] that could cause a kind of hysteria,” Sweeney said. “People will say: ‘What kind of system is this? We didn’t get a chance to vote. Our whole community didn’t get a chance to vote.’
“If you look at the outcome of the 2016 election … there were several states where the margin of victory was within 1 or 2 or 5 percent,” she continued. “If you want to change the result in a state that was determined by less than 1 percent of the votes, what is the smallest number of changes you can make, and where do you make them?”
Hoping to prevent attackers from exploiting the vulnerability, Sweeney, Yoo, and Zang notified election officials in the at-risk states of their findings prior to publication, attended a national convention of such officials to discuss the findings, and will hold a workshop, to which election officials have been invited.